Re: Unbound in base, yes, what about ldns?
On Sun, 23 Mar 2014, Chris Smith wrote:

> From: Chris Smith obsd_m...@chrissmith.org
> To: Stuart Henderson s...@spacehopper.org
> Cc: OpenBSD-Misc misc@openbsd.org
> Date: Sun, 23 Mar 2014 22:09:00
> Subject: Re: Unbound in base, yes, what about ldns?
>
> ...
>
> How about this line added to rc.conf.local when using the package:
>
> syslogd_flags=${syslogd_flags} -a /var/unbound/dev/log
>
> Is it still needed or should it be removed?

Probably. If you're running chrooted and logging to syslog, you should still need this line. See the manual page for unbound.conf. A cursory reading indicates it doesn't seem to have materially changed from the version in the port/package.

*But* cursory reading has let me and others down badly in the past :-(

--
Dennis Davis dennisda...@fastmail.fm
Re: Unbound in base, yes, what about ldns?
On Thu, Mar 20, 2014 at 7:39 PM, Stuart Henderson s...@spacehopper.org wrote:

> You can uninstall the package if you don't need it, or you can keep it if you do need it (for example, for drill or the ldns-* tools).

How about this line added to rc.conf.local when using the package:

syslogd_flags=${syslogd_flags} -a /var/unbound/dev/log

Is it still needed or should it be removed?

Thanks,
Chris
Re: Unbound in base, yes, what about ldns?
On Fri, Mar 21, 2014 at 01:41:37PM +, Stuart Henderson wrote:

> Kind-of; things will work properly if the validator is enabled now, and it's less bad than having /var/unbound/etc writable, but would really prefer to not have anything at all in the chroot be writable by the unprivileged _unbound user. Privilege separation would be desirable for this.

Just out of curiosity: how come the shipped unbound.conf file mentions the module-config: setting? It appears to me that validator iterator is the default, or am I missing something?

Regards,
Patrik Lundin
Re: Unbound in base, yes, what about ldns?
On Wed, Mar 19, 2014 at 7:44 PM, Chris Smith obsd_m...@chrissmith.org wrote:

> See the thread unbound dnssec revisited I started on 12/30/2013 for some hints. Looks like creating a new directory with the proper permissions is the best way to go.

Now fixed in -current with a /var/unbound/db directory.

Thanks Stuart!

Chris
Re: Unbound in base, yes, what about ldns?
On 2014/03/21 09:30, Chris Smith wrote:

> On Wed, Mar 19, 2014 at 7:44 PM, Chris Smith obsd_m...@chrissmith.org wrote:
>
> > See the thread unbound dnssec revisited I started on 12/30/2013 for some hints. Looks like creating a new directory with the proper permissions is the best way to go.
>
> Now fixed in -current with a /var/unbound/db directory.
>
> Thanks Stuart!
>
> Chris

Kind-of; things will work properly if the validator is enabled now, and it's less bad than having /var/unbound/etc writable, but would really prefer to not have anything at all in the chroot be writable by the unprivileged _unbound user. Privilege separation would be desirable for this.
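
The preference stated in the message above can be checked mechanically. The following is an added example, not part of the original thread and not OpenBSD's own tooling: it lists everything under a chroot that a given unprivileged user can modify through ownership or a world-writable mode. The function names are hypothetical; `/var/unbound` and `_unbound` are the values from the thread, and group-write access is deliberately not evaluated.

```shell
#!/bin/sh
# Added example: report paths under a chroot that an unprivileged user
# could modify. chroot_writable_by is a hypothetical helper name.
#
# Two cases are checked:
#   1. entries owned by the user with the owner-write bit set
#   2. entries writable by "other" (any user, including the daemon's)
# Symlinks are skipped because their own mode bits are not meaningful.
# Group-writable entries are not evaluated (that needs the user's groups).

chroot_writable_by() {
    root=$1
    user=$2   # user name or numeric uid, as accepted by find -user
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }
    find "$root" ! -type l \( \
        \( -user "$user" -perm -200 \) -o -perm -002 \
    \) -print | sort
}

# Number of findings; 0 means nothing in the tree is writable by the user
# under the two rules above.
chroot_writable_count() {
    chroot_writable_by "$1" "$2" | wc -l | tr -d ' '
}

# Run against the values from the thread, but only when called without
# arguments on a host that actually has the tree and the account.
if [ "$#" -eq 0 ] && [ -d /var/unbound ] && id _unbound >/dev/null 2>&1; then
    chroot_writable_by /var/unbound _unbound
fi
```

On a layout like the one described in the thread, the expected findings are the `/var/unbound/db` directory and the key file inside it; anything else in the output is worth a second look.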
Re: Unbound in base, yes, what about ldns?
Thanks.

2014-03-20 1:44 GMT+02:00 Chris Smith obsd_m...@chrissmith.org:

> See the thread unbound dnssec revisited I started on 12/30/2013 for some hints. Looks like creating a new directory with the proper permissions is the best way to go.
>
> On Wed, Mar 19, 2014 at 7:01 PM, Атанас Владимиров don.na...@gmail.com wrote:
>
> > Hi,
> >
> > Sorry for Off-topic, but when you enable DNSSEC validation and fetch a root key with unbound-anchor(8) (needs root) the following error shows up in /var/log/messages:
> >
> > unbound: [0:0] error: could not open autotrust file for writing, /etc/root.key.29136-0: Permission denied
> >
> > Maybe this is because _unbound user has no rights to write to /var/unbound/etc/ after chroot. Am I correct? Any solutions?
> >
> > Best regards,
> > Atanas
Re: Unbound in base, yes, what about ldns?
On 2014-03-19, Chris Smith obsd_m...@chrissmith.org wrote:

> On Wed, Mar 19, 2014 at 6:12 PM, Kenneth Westerback kwesterb...@gmail.com wrote:
>
> > The unbound in base has its own cut down version of ldns. No need for the package.
>
> Can I just uninstall the package after the fact or do some files need to be replaced?
>
> Thanks,
> Chris

You can uninstall the package if you don't need it, or you can keep it if you do need it (for example, for drill or the ldns-* tools).
Unbound in base, yes, what about ldns?
Great to see Unbound in base, thanks. But what about ldns? I still have that installed as a package - removed the unbound package as per the -current instructions, but shouldn't the ldns package be removed as well as I believe unbound requires it and therefore it would have to be built by base as well. Or am I off-base?

Thanks,
Chris
Re: Unbound in base, yes, what about ldns?
On 19 March 2014 18:09, Chris Smith obsd_m...@chrissmith.org wrote:

> Great to see Unbound in base, thanks. But what about ldns? I still have that installed as a package - removed the unbound package as per the -current instructions, but shouldn't the ldns package be removed as well as I believe unbound requires it and therefore it would have to be built by base as well. Or am I off-base?
>
> Thanks,
> Chris

The unbound in base has its own cut down version of ldns. No need for the package.

... Ken
Re: Unbound in base, yes, what about ldns?
On Wed, Mar 19, 2014 at 6:12 PM, Kenneth Westerback kwesterb...@gmail.com wrote:

> The unbound in base has its own cut down version of ldns. No need for the package.

Can I just uninstall the package after the fact or do some files need to be replaced?

Thanks,
Chris
Re: Unbound in base, yes, what about ldns?
Hi,

Sorry for Off-topic, but when you enable DNSSEC validation and fetch a root key with unbound-anchor(8) (needs root) the following error shows up in /var/log/messages:

unbound: [0:0] error: could not open autotrust file for writing, /etc/root.key.29136-0: Permission denied

Maybe this is because _unbound user has no rights to write to /var/unbound/etc/ after chroot. Am I correct? Any solutions?

Best regards,
Atanas
Re: Unbound in base, yes, what about ldns?
See the thread unbound dnssec revisited I started on 12/30/2013 for some hints. Looks like creating a new directory with the proper permissions is the best way to go.

On Wed, Mar 19, 2014 at 7:01 PM, Атанас Владимиров don.na...@gmail.com wrote:

> Hi,
>
> Sorry for Off-topic, but when you enable DNSSEC validation and fetch a root key with unbound-anchor(8) (needs root) the following error shows up in /var/log/messages:
>
> unbound: [0:0] error: could not open autotrust file for writing, /etc/root.key.29136-0: Permission denied
>
> Maybe this is because _unbound user has no rights to write to /var/unbound/etc/ after chroot. Am I correct? Any solutions?
>
> Best regards,
> Atanas